Developer Sneaks Fake Apps Into Android Market


A batch of malicious apps crept into the legitimate Android App
Market over the weekend. Despite some telltale signs they were
fake, the apps managed to exploit those who made the mistake of
downloading them.

Using the name "Logastrod," the developer offered several popular
apps including "Angry Birds," "Cut the Rope," "Shoot the Birds"
and "Assassin's Creed Revelations," many of which were available
for free, according to DroidGamers.

Behind their innocent facade, the cloned apps hid a secret weapon
— they compromised customers' smartphones by using them to send
premium-rate text messages to the tune of about $20. "The texts
are notifications that the user has been charged around $5, but
you end up getting 3-4 of them in one shot," DroidGamers wrote.
"A free download just became a $20 purchase."

"Premium rate" text-message services are similar to the old "976"
numbers that plagued North American telephone users in the 1990s,
racking up huge charges for short calls. But the premium text
services are rare in the United States, where there's a 30-day
lag time between a message being sent and the subsequent bill
collection. In Russia and some other European countries, however,
the services are easy to set up, and the billing turnaround time
is much shorter, offering a huge opportunity for low-level
thieves.

Logastrod's page in the Android App Market was taken down, but
this morning (Dec. 12) Mikko Hypponen from the security firm
F-Secure found them under another name,
"Miriada Production." (Miriada Production's page has since
been taken down.)

"There could be several such accounts in the Android Market,
turning Google's security efforts into a game of 'Whack-a-Mole,'"
Hypponen wrote.

Glaring errors in these cloned apps, captured in a screenshot, highlight the already widely
publicized weaknesses in the Android platform.

The screenshot shows the same logo used for "Cut the Rope,"
"Assassin's Creed Revelations" and "Where's My Water?" while
"World of Goo" and "Need for Speed" also share a logo. A
discussion thread on Reddit explained that the apps, many of
which have a four- or five-star rating, are nearly identical in
size, around 56 kilobytes. A real app for a graphics-heavy
game like "Assassin's Creed" would be several megabytes.

Simply by getting his phony apps into the official market,
Logastrod shined a light on inherent flaws in Android's
open-source model, which puts the onus on the developers to
ensure their apps are safe, as opposed to Apple, which thoroughly
vets all apps before they make it to the iTunes store. Before you
download any Android app, read the user ratings and reviews and
check to see if you're comfortable with the permissions it
requests. If an app looks suspicious or has received questionable
reviews, stay away from it.
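The two red flags the story describes, a game-sized download of only tens of kilobytes and a permission list that allows sending text messages, can be checked mechanically. The script below is an added example, not code from the article or from any of the parties it names; it assumes a decoded text-form AndroidManifest.xml (as a tool such as apktool produces) and a constructed sample manifest and size.

```python
# Added example (not from the article): a defender-side triage check that
# applies the two red flags the story describes, a game-sized APK that is
# only tens of kilobytes and a permission list that allows sending SMS.
# Input is a decoded (text) AndroidManifest.xml such as apktool produces;
# the manifest and the 56 KB size below are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission that lets an app send texts, including premium-rate ones.
SMS_PERMISSIONS = {"android.permission.SEND_SMS"}

# A graphics-heavy game should be megabytes; the cloned apps were ~56 KB.
# Threshold is an assumed heuristic, not a value from the article.
SUSPICIOUS_GAME_SIZE_KB = 500

# Constructed sample manifest resembling what a cloned app might declare.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, apk_size_kb: int, is_game: bool) -> list:
    """Return the red flags that apply to this app (empty list if none)."""
    flags = []
    sms = sorted(requested_permissions(manifest_xml) & SMS_PERMISSIONS)
    if sms:
        flags.append("can send SMS: " + ", ".join(sms))
    if is_game and apk_size_kb < SUSPICIOUS_GAME_SIZE_KB:
        flags.append("implausibly small for a game: %d KB" % apk_size_kb)
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_MANIFEST, apk_size_kb=56, is_game=True):
        print("RED FLAG:", flag)
```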